Home / malware Win32.MyDoom.S@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.MyDoom.S@mm is also known as I-Worm.Mydoom.q, (KAV.
Explanation :
spreads via email, attatched with the name "photos_arc.exe"; the subject of the email is "Photos"; the body is "LOL!;))))" while the sender is spoofed
it avoids sending itself to certain email addresses containing several sub-strings
downloads as "winvpn32.exe" and executes it from the following addresses:
http://www.xxxxxxxxxx.com/ispy.1.jpg
http://www.xxxxxxxxxx.com/coco3.jpg
http://www.xxxxxxxxxx.com/guestbook/temp/temp587.gif
http://xxxxxxxxxxx.com/guestbook/temp/temp728.gif
the downloaded file is Backdoor.Surila, a component with stealth capabilities which makes it invisible in processes list and on hard drive
when download of the backdoor component was successful the folowing registry key is added as a marker "HKCUSOFTWAREMicrosoftInternet ExplorerInstaledFlashhMX" set to "1"
checks the mutex "43jfds93872" in order to avoid reinfection
copies itself to "%system%winpsd.exe" and "%windows%
asor38a.dll"
adds to the start up registry key "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" the string "winpsd" which points to "%system%winpsd.exe"Last update 21 November 2011
